Threat Modeling and Risk Analysis for Developers and Testers
© 2016 Carnegie Mellon University
[Distribution Statement A] This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-US Government use and distribution.
Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA 15213
REV-03.18.2016.0
Threat Modeling and Risk Analysis for Developers and Testers
Matt Trevors
Copyright 2016 Carnegie Mellon University
This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center.
Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Department of Defense.
References herein to any specific commercial product, process, or service by trade name, trade mark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by Carnegie Mellon University or its Software Engineering Institute.
NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-US Government use and distribution.
This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at [email protected].
OCTAVE® is registered in the U.S. Patent and Trademark Office by Carnegie Mellon University.
Operationally Critical Threat, Asset, and Vulnerability Evaluation (SM)
DM-0004042
Agenda
• Who am I
• Why
• Terms
• OWASP Top 10
• STRIDE Threat Modeling
• OCTAVE Allegro Risk Analysis
• Mitigation Strategies
• Summary
When, What, and Why?
• Sooner rather than later
• Functional vs. Security Testing
Terms
• Threat
• Vulnerability
• Asset
• Risk
• Quantitative
• Qualitative
• STRIDE
• OCTAVE
The Open Web Application Security Project
OWASP Top 10 Web (2013)
A1 - Injection
A2 - Broken Authentication and Session Management
A3 - Cross-Site Scripting (XSS)
A4 - Insecure Direct Object Reference
A5 - Security Misconfiguration
A6 - Sensitive Data Exposure
A7 - Missing Function Level Access Control
A8 - Cross-Site Request Forgery (CSRF)
A9 - Using Components with Known Vulnerabilities
A10 - Unvalidated Redirects and Forwards
• International community
• Top 10 lists (Web, Mobile, Proactive Controls, etc.)
• Tools (Zed Attack Proxy)
• Software Assurance Maturity Model (SAMM)
Threat Modeling with STRIDE
• Spoofing (Authentication)
• Tampering (Integrity)
• Repudiation (Non-repudiation)
• Information Disclosure (Confidentiality)
• Denial of Service (Availability)
• Elevation of Privilege (Authorization)
DFD element types: External Entity, Process, Data Flow, Data Store

STRIDE-per-element (X = threat class applies to that element type, - = does not):

Element           S   T   R   I   D   E
External Entity   X   -   X   -   -   -
Process           X   X   X   X   X   X
Data Flow         -   X   -   X   X   -
Data Store        -   X   X   X   X   -
Threat Modeling with STRIDE
The STRIDE-per-element table above, applied to an example data flow diagram (figure). Elements named in the figure: Web Browser, WWW (GUI), RESTful API, RDBMS, Customer Data, Syslogs, Database Backup.
For each applicable cell of the table, ask: Is there a threat of a threat actor {S|T|R|I|D|E}-ing a(n) {External Entity|Process|Data Flow|Data Store} by exploiting an OWASP Top 10 {A1-A10} vulnerability?
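An added example (not from the slides) of how the question template turns a DFD into a threat list: it applies the STRIDE-per-element table to every element and then instantiates the question once per OWASP Top 10 (2013) category. The DFD node names are taken from the slide's figure; their element types, and the data flows drawn between them, are assumptions made for this example.

```python
from dataclasses import dataclass
from itertools import product

# STRIDE classes and the security property each one attacks (from the slides).
STRIDE = {
    "S": ("Spoofing", "Authentication"),
    "T": ("Tampering", "Integrity"),
    "R": ("Repudiation", "Non-repudiation"),
    "I": ("Information Disclosure", "Confidentiality"),
    "D": ("Denial of Service", "Availability"),
    "E": ("Elevation of Privilege", "Authorization"),
}

# STRIDE-per-element table: which threat classes apply to each DFD element type.
APPLICABLE = {
    "External Entity": "SR",
    "Process": "STRIDE",
    "Data Flow": "TID",
    "Data Store": "TRID",
}

OWASP_2013 = [f"A{i}" for i in range(1, 11)]


@dataclass(frozen=True)
class Element:
    name: str
    kind: str  # one of APPLICABLE's keys


def data_flow(src: Element, dst: Element) -> Element:
    """A DFD edge; data flows get their own row of the STRIDE table."""
    return Element(f"{src.name} -> {dst.name}", "Data Flow")


def enumerate_threats(elements):
    """Return (element, stride_letter) for every applicable threat class of every element."""
    found = []
    for el in elements:
        if el.kind not in APPLICABLE:
            raise ValueError(f"unknown DFD element kind: {el.kind!r}")
        for letter in APPLICABLE[el.kind]:
            found.append((el, letter))
    return found


def question(el: Element, letter: str, owasp_id: str) -> str:
    """Instantiate the slide's template question for one (threat, element, OWASP category)."""
    threat_name = STRIDE[letter][0]
    return (f"Is there a threat of a threat actor performing {threat_name} against the "
            f"{el.kind} '{el.name}' by exploiting an OWASP {owasp_id} vulnerability?")


def questions(elements):
    """Every template question the table produces for this DFD (one per OWASP category)."""
    return [question(el, letter, owasp_id)
            for (el, letter), owasp_id in product(enumerate_threats(elements), OWASP_2013)]


# Example DFD using the node names from the slide. Element kinds and the data flows
# are assumptions for this example; the slide only names the nodes.
browser = Element("Web Browser", "External Entity")
www = Element("WWW (GUI)", "Process")
api = Element("RESTful API", "Process")
rdbms = Element("RDBMS", "Process")
customer_data = Element("Customer Data", "Data Store")
syslogs = Element("Syslogs", "Data Store")
backup = Element("Database Backup", "Data Store")

EXAMPLE_DFD = [
    browser, www, api, rdbms, customer_data, syslogs, backup,
    data_flow(browser, www), data_flow(www, api), data_flow(api, rdbms),
    data_flow(rdbms, customer_data), data_flow(api, syslogs), data_flow(rdbms, backup),
]

if __name__ == "__main__":
    threats = enumerate_threats(EXAMPLE_DFD)
    print(f"{len(threats)} candidate STRIDE threats, {len(questions(EXAMPLE_DFD))} questions to triage")
    for el, letter in threats:
        if el.kind == "External Entity":
            print(question(el, letter, "A2"))  # e.g. spoofing the browser via broken authentication
```

Every candidate becomes a row to rate with the OCTAVE Allegro criteria in the next section; the point of generating the full product is that nothing is skipped silently, and rows are dismissed explicitly during triage rather than never considered.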
OCTAVE Allegro
• Qualitative risk analysis (with a pinch of quantitative)
• Helps prioritize work
• 8 steps
OCTAVE Allegro - Risk Measurement Criteria
Each impact area is rated Low, Moderate, or High against criteria the organization defines; the blanks are thresholds the organization fills in.

Impact Area: Patient Safety
  Low: No, or negligible, impact on patient treatment. Delay is less than ___ hours.
  Moderate: Treatment of the patient aided by system components has been delayed more than ___ hours.
  High: Treatment of the patient aided by system components has been delayed more than ___ hours, or delayed indefinitely.

Impact Area: Regulatory/Legal Issue
  Low: No, or negligible, impact on regulatory or legal standing.
  Moderate: Issue requires legal and/or regulatory review, requiring agencies and/or customers and/or the public to be notified.
  High: The issue requires legal and/or regulatory review, requiring agencies and/or the public to be notified. The issue also requires corrective and preventive action that affects more than ____% of existing customers.

Impact Area: Brand Damage
  Low: Reputation is minimally affected; little or no effort or expense is required to recover.
  Moderate: Reputation is damaged, and some effort and expense are required to recover.
  High: Reputation is irrevocably destroyed or damaged.

Impact Area: Loss of Productivity
  Low: Loss of less than ______% of development time to address the issue over a period of ____ days.
  Moderate: Loss of between _____% and _____% of development time to address the issue over a period of _____ days.
  High: Loss of greater than _____% of development time to address the issue over a period of ____ days.

Impact Area: Customer Confidence
  Low: Less than _______% reduction in customers due to loss of confidence.
  Moderate: _______% to _______% reduction in customers due to loss of confidence.
  High: More than _______% reduction in customers due to loss of confidence.
OCTAVE Allegro
OCTAVE Allegro
• Example: Spoofing -> External Entity
  – Rate each Risk Measurement Criteria impact area L/M/H and multiply by the area's priority (L = 1, M = 2, H = 3):
    • Patient Safety (5) x L (1) = 5
    • Regulatory/Legal (4) x H (3) = 12
    • Brand Damage (3) x M (2) = 6
    • Productivity (2) x L (1) = 2
    • Customer Confidence (1) x H (3) = 3
  – Total Risk Score = 28
  – Complete for each applicable STRIDE category / DFD element
  – Order from highest to lowest Risk Score
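The scoring and ranking step, as an added example that is not from the slides: the relative risk score is the sum over impact areas of priority times impact value, computed for the slide's Spoofing -> External Entity case and for three further threats whose ratings are constructed for illustration. The impact-area priorities (5 down to 1) are the slide's.

```python
IMPACT_VALUE = {"L": 1, "M": 2, "H": 3}

# Impact-area priorities from the slide (5 = most important).
PRIORITY = {
    "Patient Safety": 5,
    "Regulatory/Legal": 4,
    "Brand Damage": 3,
    "Productivity": 2,
    "Customer Confidence": 1,
}

MIN_SCORE = sum(PRIORITY.values()) * IMPACT_VALUE["L"]   # 15: every area rated Low
MAX_SCORE = sum(PRIORITY.values()) * IMPACT_VALUE["H"]   # 45: every area rated High


def risk_score(ratings):
    """Relative risk score: sum over impact areas of priority x impact value (L=1, M=2, H=3).

    `ratings` must map every impact area in PRIORITY to "L", "M" or "H"; a missing or
    extra area is rejected so that a partially filled worksheet cannot score low by accident.
    """
    missing = set(PRIORITY) - set(ratings)
    extra = set(ratings) - set(PRIORITY)
    if missing or extra:
        raise ValueError(f"ratings must cover exactly the impact areas; "
                         f"missing={sorted(missing)}, extra={sorted(extra)}")
    bad = {area: r for area, r in ratings.items() if r not in IMPACT_VALUE}
    if bad:
        raise ValueError(f"ratings must be L, M or H: {bad}")
    return sum(PRIORITY[area] * IMPACT_VALUE[r] for area, r in ratings.items())


def rank(threats):
    """Score every threat and return (name, score) pairs, highest score first (stable on ties)."""
    scored = [(name, risk_score(r)) for name, r in threats.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# The slide's worked example, plus three constructed threats drawn from the example DFD.
# Ratings other than the first row are illustrative assumptions, not from the slides.
EXAMPLE_THREATS = {
    "Spoofing -> External Entity (Web Browser)": {
        "Patient Safety": "L", "Regulatory/Legal": "H", "Brand Damage": "M",
        "Productivity": "L", "Customer Confidence": "H",
    },
    "Information Disclosure -> Data Store (Customer Data)": {
        "Patient Safety": "L", "Regulatory/Legal": "H", "Brand Damage": "H",
        "Productivity": "M", "Customer Confidence": "H",
    },
    "Denial of Service -> Process (RESTful API)": {
        "Patient Safety": "H", "Regulatory/Legal": "L", "Brand Damage": "M",
        "Productivity": "M", "Customer Confidence": "M",
    },
    "Tampering -> Data Flow (RESTful API -> Syslogs)": {
        "Patient Safety": "L", "Regulatory/Legal": "M", "Brand Damage": "L",
        "Productivity": "L", "Customer Confidence": "L",
    },
}

if __name__ == "__main__":
    for name, score in rank(EXAMPLE_THREATS):
        print(f"{score:3d} (of {MIN_SCORE}..{MAX_SCORE})  {name}")
```

Because the score is a weighted sum of ordinal ratings it only orders threats; the gap between 33 and 31 says nothing about how much worse one is than the other, which is the "pinch of quantitative" caveat from the previous slide.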
Mitigation
• NIST SP 800-53 controls catalog
• ISO 27000 series (27002, 27034, etc.)
• FIPS 140-2
• IETF standards (OAuth 2.0, TLS, PBKDF2)
DO NOT ROLL YOUR OWN!!!!!!!
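An added example (not from the slides) of the "do not roll your own" point, using the PBKDF2 standard named above for password storage. weak_hash() is a constructed anti-pattern of the kind a homegrown scheme tends to produce; store_password() and verify_password() use PBKDF2 (RFC 8018) from Python's standard library. The iteration count, salt and key sizes, and the record format are assumptions for this example.

```python
import base64
import hashlib
import hmac
import os

ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000   # assumption: tune to your hardware and raise over time
SALT_BYTES = 16
KEY_BYTES = 32


def weak_hash(password: str) -> str:
    """Constructed anti-pattern: one fast, unsalted hash. Equal passwords give equal
    digests, and a single precomputed table attacks every user at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def store_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'algo$iterations$salt$key' (base64 fields),
    so the parameters can be raised later without breaking existing records."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES)
    return f"{ALGO}${iterations}${_b64(salt)}${_b64(key)}"


def verify_password(password: str, record: str) -> bool:
    """Recompute PBKDF2 with the stored parameters and compare in constant time."""
    try:
        algo, iterations, salt_b64, key_b64 = record.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(key_b64)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: reject rather than guess
    if algo != ALGO or rounds < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    rec = store_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec), verify_password("hunter2", rec))
    # Two users with the same password: the weak scheme reveals it, salted PBKDF2 does not.
    print(weak_hash("hunter2") == weak_hash("hunter2"), store_password("hunter2") == store_password("hunter2"))
```

The same rule applies to the other standards on the list: take OAuth 2.0 and TLS from maintained libraries and consult the NIST / ISO control catalogs for the non-cryptographic mitigations, rather than designing an equivalent in-house.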
Summary
• Familiarize with OWASP
• Create STRIDE DFD
• Define OCTAVE Allegro Risk Measurement Criteria
• Complete OCTAVE Allegro spreadsheets (STRIDE/OWASP)
• Calculate Risk Scores
• Sort/rank based on Risk Scores (highest to lowest)
• Identify industry-standard mitigations
• Calculate effort (for planning purposes)
• Practice, Practice, Practice... Training, Training, Training
The End
Thank You!